An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Category Archives: Enforcement

Update (April 10, 2014): For a more recent update on this case, please see this post.

Since our last update, there has been some interesting activity in the matter concerning the Federal Trade Commission’s (FTC) complaint against Wyndham Worldwide, currently pending before the U.S. District Court for the District of New Jersey, and I thought this might be a good time for an update on these proceedings. This case has drawn considerable attention, mainly due to Wyndham’s challenge of the FTC’s authority to bring a data security enforcement action on unfairness grounds under Section 5 of the FTC Act. The outcome in this matter may very well have a profound effect on the FTC’s ability to regulate data security.

When we last discussed this matter, Wyndham’s motions to dismiss the FTC’s complaint, asserting, inter alia, that the FTC lacked the legal authority to enforce data security standards for private businesses, were before the court. On November 7, 2013, Judge Esther Salas heard oral argument on these motions. Wyndham opened by citing FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000), as support for their proposition that the FTC’s data security standards exceeded the agency’s authority. Judge Salas remained skeptical during the hearing, stating that she thought Brown & Williamson was distinguishable.

Wyndham further argued that the FTC’s informal data security guidelines are insufficient, and do not provide fair notice of what is required under Section 5. Wyndham questioned both the FTC’s authority as well as their expertise in this area. The FTC countered by asserting that its data security guidelines, which include best practices and past consent decrees, put businesses on notice of what is required to meet a standard of reasonableness.

Following oral argument, Judge Salas denied Wyndham’s motion to stay discovery proceedings, but did not immediately address Wyndham’s other pending motions to dismiss. On December 27, Judge Salas ordered the parties to submit a supplemental, joint letter brief to the Court, addressing the two outstanding motions to dismiss. The parties filed their joint letter brief on January 21.

In the brief, Wyndham once again argued that the FTC lacks the statutory authority to regulate data security practices for every American company. Wyndham pointed out that Congress has limited the FTC’s data security power to only certain, well-defined areas, citing the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), and the Children’s Online Privacy Protection Act (COPPA) as evidence of these boundaries. Wyndham dismissed the FTC’s argument that FCRA, GLBA, and COPPA merely supplement the FTC’s existing data security authority as “revisionist history.”

In addition, Wyndham refuted the theory first raised by the FTC at oral argument, that Congress “understood Section 5 to provide the FTC with general police power over data-security matters,” but enacted FCRA, GLBA, and COPPA “for the limited purpose of freeing the Commission from the need to prove substantial consumer injury in specific contexts” as “a far-fetched reconstruction” of Congressional intent. Wyndham cited the context and legislative history of the FCRA, GLBA, and COPPA as further proof that the FTC is exceeding its authority, stating that Congress enacted these statutes “precisely because it believed that data security was not covered by existing statutory provisions, including Section 5 of the FTC Act.” (emphasis in original).

Finally, Wyndham reasserted that, even if the FTC is correct in its understanding of the statutes, they have not provided businesses fair notice required by the Due Process Clause. Wyndham points out that the “FTC has not published any rules, regulations, or guidelines explaining to businesses what data-security protections they must employ to comply with the FTC’s interpretation of Section 5 of the FTC Act.” This has been a growing concern among U.S. businesses, which face a daily struggle against data breaches and other related information security incidents, and are unsure of what “reasonable data security practices” might mean.

In its section of the brief, the FTC responded by asserting that “Section 5 of the FTC Act applies by its terms to all unfair commercial practices,” and “is not susceptible to a ‘data security’ exception.” The FTC highlighted the recent LabMD and Verizon decisions as supporting their argument for statutory authority.

The FTC also reiterated its position that the FCRA, GLBA, and COPPA permit the FTC to enforce these statutes using “additional enforcement tools,” which differentiate them from the FTC Act. Further, the FTC argues that where the FTC Act “merely authorizes,” the FCRA, GLBA, and COPPA “affirmatively compel the FTC to use its authority in particular ways” in certain contexts, which does not “divest the [FTC] of its preexisting and much broader authority to protect consumers against ‘unfair’ practices.”

Finally, the FTC pointed out that, while the court did not request additional briefing on the due process question, they felt obliged to respond to Wyndham’s claim on this point. The FTC asserted that to follow Wyndham’s argument would “undermine 100 years of FTC precedent,” and would “crash headlong” into Supreme Court precedent regarding Section 5 of the FTC Act.

Of note, the FTC has also been making similar arguments before Congress, where the FTC has expressed its support for new data security legislation. In hearings held before House Energy and Commerce Committee, the FTC emphasized its ongoing efforts to promote data security through civil law enforcement, education, and policy initiatives.

The court accepted parties’ brief and submissions of supplemental authority on January 23, and granted Wyndham’s request to submit a five-page letter brief in order to respond to the substantive issues raised by the FTC’s inclusion of the LabMD and Verizon decisions. Wyndham filed this brief on January 29, citing multiplenegativeresponses to these decisions in the press as evidence of a breach of the “fundamental principles of fair notice” that “imposes substantial costs on business.”

Judge Salas has not yet responded to these arguments, but we will certainly be keeping a very close eye on these proceedings and its implications for the FTC regulation of data security standards.

Unmanned aerial vehicles, better known as drones, are expected to revolutionize the way companies deliver packages to their customers. Some also imagine these small aircrafts delivering pizzas to a customer’s home or nachos to a fan at a ballgame. Researchers are even investigating the possibility of using drones to assist farmers with monitoring their crops. Before drone technology takes flight, however, it will have to maneuver through privacy laws.

The Federal Aviation Administration (FAA) is the agency charged with developing rules, including privacy rules, for private individuals and companies to operate drones in national airspace. While the precise breadth of FAA rules is not entirely clear, a framework is beginning to develop. When the FAA recently announced test sites for drones, it also noted that test site operators must: (1) comply with existing federal and state privacy laws, (2) have publicly available privacy policies and a written plan for data use and retention, and (3) conduct a review of privacy practices that allows for public comment. When soliciting the public for comment on these test site-privacy rules, the FAA received a wide spectrum of feedback. This feedback ranged from suggestions that the agency must articulate precise elements of what constitutes a privacy violation, to the federal agency was not equipped (and therefore should not attempt) to regulate privacy at all. It appears that the FAA settled on a middle ground of requiring drones to comply with existing privacy law, which is largely regulated by individual states.

Accordingly, state privacy laws are likely to be the critical privacy hurdle to commercial drone use. It appears that only four states have thus far expressly addressed the use of private drones (as distinguished from drones used by public agencies, such as law enforcement). Idaho and Texas generally prohibit civilians from using a drone to take photographs of private property. They also restrict photography of any individual – even in public view – by such a drone. And Oregon prevents drones from flying less than 400 feet above a property of a person who makes such a request. The fourth state, Illinois, restricts use of drones that interfere with hunting and fishing activities.

As for the other states, they may be simply getting up to speed on the technology. On the other hand, many of these states have considered or enacted laws restricting use of drones by the police. Because these laws are silent on the use of private drones, one could argue that these states intentionally chose not to regulate private drones (and accordingly, existing laws regarding use of aircrafts or other public cameras, govern use of private drones).

Even though a state has passed a drone-related privacy law, it may very well be challenged on constitutional or other grounds. For instance – to the extent they prohibit photography of public areas or objects and people in plain view – the Idaho and Texas laws may raise First Amendment questions. As described in Hurley v. Irish-American, photographers generally receive First Amendment protection when taking public photos if he or she “possessed a message to be communicated” and “an audience to receive that message, regardless of the medium in which the message is to be expressed.” Under this test, in Porat v. Lincoln Towers Community Association, a photo hobbyist taking pictures for aesthetic and recreational purposes was denied First Amendment protection. In contrast, in Pomykacz v. Borough of West Wildwood, a “citizen activist” – whose pictures were taken out of concern about an affair between a town’s mayor and a police officer – was found to have First Amendment protection. To be sure, however, the Supreme Court has acknowledged that “even in a public forum the government may impose reasonable restrictions on the time, place, or manner of protected speech, provided the restriction are justified without reference to the content of the regulated speech, that they are narrowly tailored to serve a significant governmental interest, and that they leave open ample alternative channels for communication of the information.” For example, under this premise, some courts have upheld restrictions on public access to crime and accident scenes. All told, we may see drone users assert First Amendment protection for photographs taken of public areas.

Another future legal challenge may involve the question of who owns the airspace above private property. In United States v. Causby, the Supreme Court appeared to reject the idea of private ownership of airspace. More specifically, it held that government aircrafts flying over private land do not amount to a government “taking”, or seizure of private property, unless the aircrafts are so low and frequent that they constitute an immediate interference with enjoyment of the land. In other words, under Causby, the landowner owns the airspace necessary to use and enjoy the land. But the Court declined to draw a specific line. At the moment, it is unclear whether Oregon’s law – restricting drones within 400 feet of a home – is consistent with principle.

Lastly, we may see a legal challenge asserting that certain state privacy laws (such as the Idaho or Texas law or others that disallow drone use altogether) are preempted, or trumped. Congress’s intent to impliedly preempt state law may be inferred (1) from a pervasive scheme of federal regulation that Congress left no room for the states to supplement, or (2) where Congress’s actions touch a field in which the federal interest is so dominant that the federal system will be assumed to preclude enforcement of state laws on that subject. Applied here, one could argue that Congress has entrusted the FAA with sole authority for creating a scheme for regulating the the narrow field of national airspace, and drones in particular. Additionally, the argument goes, the federal government has a dominant interest in regulating national airspace as demonstrated by the creation of the FAA and numerous other aircraft regulations. Under the preemption line of reasoning, state privacy laws may be better focused on regulating data gathered by the drone rather than the space where the drone may fly or actions the drone may take while in the space (e.g. taking pictures).

All told, before official drone liftoff, companies employing drones will have to wait for final FAA rules on privacy. Whether these final rules track the test site rules discussed above is not for certain. Likely, the final rules will depend on the public comments received by the drone test sites. Assuming the final rules track the test site rules, companies using commercial drones should focus on compliance with the various state privacy laws. But, as noted above, we may see a constitutional challenge to these laws along the way. Stay tuned.

Edit (Feb. 5, 2014): For a more recent update on this case, please see this post.

On November 1, Maureen Ohlhausen, a Commissioner at the Federal Trade Commission (FTC), held an “ask me (almost) anything” (AMAA) session on Reddit. There were no real surprises in the questions Commissioner Ohlhausen answered, and the AMAA format is not well-suited to lengthy responses. One interesting topic that did arise, however, was the FTC’s complaint against Wyndham Worldwide Corporation, and Wyndham’s subsequent filing of a motion to dismiss the FTC action against them. Commissioner Ohlhausen declined to discuss the ongoing litigation, but asserted generally that the FTC has the authority to bring such actions under Section 5 of the FTC Act, 15 U.S.C. § 45. While there were no unexpected revelations in the Commissioner’s response, I thought it presented an excellent opportunity to bring everyone up to speed on the Wyndham litigation.

On June 26, 2012, the Federal Trade Commission (FTC) filed a complaint in Arizona Federal District Court against Wyndham Worldwide Corporation, alleging that Wyndham “fail[ed] to maintain reasonable security” on their computer networks, which led to a data breach resulting in the theft of payment card data for hundreds of thousands of Wyndham customers, and more than $10.6 million in fraudulent charges on customers’ accounts. Specifically, the complaint alleged that Wyndham engaged in deceptive business practices in violation of Section 5 of the FTC Act by misrepresenting the security measures it undertook to protect customers’ personal information. The complaint also alleged that Wyndham’s failure to provide reasonable data security is an unfair trade practice, also in violation of Section 5.

On August 27, 2012, Wyndham responded by filing a motion to dismiss the FTC’s complaint, asserting, inter alia, that the FTC lacked the statutory authority to “establish data-security standards for the private sector and enforce those standards in federal court,” thus challenging the FTC’s authority to bring the unfairness count under the FTC Act. In their October 1, 2012 response, the FTC asked the court to reject Wyndham’s arguments, stating that the FTC’s complaint alleged a number of specific security failures on the part of Wyndham, which resulted in two violations of the FTC Act. The case was transferred to the Federal District of New Jersey on March 25, 2013, and Wyndham’s motions to dismiss were denied. On April 26, Wyndham once again filed motions to dismiss the FTC’s complaint, again asserting that the FTC lacked the legal authority to legislate data security standards for private businesses under Section 5 of the FTC Act.

At stake in this litigation is the FTC’s ability to bring enforcement claims against companies that suffer data breach due to a lack of “reasonable security.” What is unique in this case is Wyndham’s decision to fight the FTC action in court rather than make efforts to settle the case, as other companies have done when faced with similar allegations by the FTC. For example, in 2006, the FTC hit ChoicePoint Inc. with a $10 million penalty over data breach where over 180,000 payment card numbers were stolen. The FTC has also gone after such high-profile companies as Twitter, HTC, and Google based on similar facts and law. These actions resulted in out-of-court settlements.

If Wyndham’s pending motions to dismiss are denied, and the FTC ultimately prevails in this case, it is likely that the FTC will continue to bring these actions, and businesses will likely see an increased level of scrutiny applied to their network security. If, however, Wyndham succeeds and the FTC case against them is dismissed, public policy questions regarding data security will likely fall back to Congress to resolve.

Oral argument for the pending motions to dismiss are scheduled for November 7. No doubt many parties will be following these proceedings with great interest.

The Massachusetts Attorney General recently announced a $7,500 settlement with Belmont Savings Bank following a data breach in which an unencrypted backup computer tape was lost after an employee failed to follow the bank’s policies and procedures. This tape contained the names, Social Security numbers, and account numbers of more than 13,000 Massachusetts residents.

The tape was lost in May 2011, when an employee left it on a desk rather than storing it in a vault for the night. Surveillance footage showed that the tape was then thrown away by the cleaning crew. The tape was most likely incinerated by the bank’s waste disposal company, and the bank has indicated that it has no evidence that the Massachusetts residents’ personal information had been acquired or used by an unauthorized person.

In addition to the $7,500 penalty, the settlement requires Belmont Savings Bank to mitigate the risk of future data breaches by:

The ABA Antitrust Section spring meeting began March 30, 2011, and features a number of programs focusing on privacy and data security issues. In the “Zeroing in on Behavioral Targeting” program, panelists from the Federal Trade Commission (“FTC”), the Washington state attorney general’s office, and law firm privacy experts discussed current issues and legal actions involving online behavioral targeting.

Panelists included Becky Burr of WilmerHale; Tina Kondo, Deputy Attorney General with the Washington State Office of the Attorney General; Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection; and David Parisi with Parisi & Havens, LLP.

Yesterday, that Massachusetts Attorney General’s Office announced a settlement with the Briar Group LLC, which operates several restaurants and bars including The Lenox, MJ O’Connor’s, Ned Devine’s, The Green Briar, and The Harp in the Boston area, to resolve allegations that the Briar Group failed to take reasonable steps to protect its patrons’ personal information.

The complaint alleges that the restaurant group suffered a data breach in April 2009. Hackers were able to access customers’ credit and debit card information, including names and account numbers, through malcode that was installed on the Briar Group’s computer systems. The malcode was not removed until December 2009. The complaint also alleges that the Briar Group had insufficient security protections in place, such as allowing multiple employees to share commons usernames and passwords and failing to properly secure its wireless network.